Security Risks in Popular Chrome Extensions: Unencrypted Data Transmission and Hard-Coded Credentials

Recent investigations have uncovered significant security vulnerabilities in several widely used Google Chrome extensions. These issues primarily involve the transmission of sensitive data over unencrypted HTTP connections and the embedding of hard-coded credentials within the extensions’ code. Such practices expose users to potential privacy breaches and security threats.

Unencrypted Data Transmission

A number of Chrome extensions have been identified as transmitting user data over HTTP, lacking the protection offered by HTTPS encryption. This unencrypted transmission can be intercepted by malicious actors, especially on unsecured networks like public Wi-Fi, leading to potential data theft or manipulation.

Notable extensions involved include:

– SEMRush Rank (Extension ID: idbhoeaiokcojcgappfigpifhpkjgmab) and PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl): These extensions communicate with rank.trellian[.]com over HTTP, exposing the domains the user is browsing and other user data.

– Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh): Upon uninstallation, this extension sends data to browsec-uninstall.s3-website.eu-central-1.amazonaws[.]com via HTTP, potentially revealing user information.

– MSN New Tab (ID: lklfbkdigihjaaeamncibechhgalldgl) and MSN Homepage, Bing Search & News (ID: midiombanaceofjhodpdibeppmnamfcj): These extensions transmit unique machine identifiers and operating system details to g.ceipmsn[.]com over HTTP.

– DualSafe Password Manager & Digital Vault (ID: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc): This password manager sends telemetry data, including extension version and browser language, to stats.itopupdate[.]com via HTTP, raising concerns about its overall security posture.

The absence of HTTPS encryption in these extensions makes them susceptible to adversary-in-the-middle (AitM) attacks, where attackers can intercept and manipulate the transmitted data.

Hard-Coded Credentials

In addition to unencrypted data transmission, some extensions have been found to contain hard-coded API keys, secrets, and tokens within their JavaScript code. Because an extension's source is readable by anyone who installs it, these embedded credentials can be exploited by attackers to perform unauthorized actions, such as corrupting analytics data or inflating service costs.

Examples include:

– Online Security & Privacy (ID: gomekmidlodglbbmalcneegieacbdmki), AVG Online Security (ID: nbmoafcmbajniiapeidgficgifbfmjfo), Speed Dial [FVD] – New Tab Page, 3D, Sync (ID: llaficoajjainaijghjlofdfmbjpebpa), and SellerSprite – Amazon Research Tool (ID: lnbmbgocenenhhhdojdielgnmeflbnfb): These extensions expose hard-coded Google Analytics 4 (GA4) API secrets, which could be used to corrupt analytics data.

– Equatio – Math Made Digital (ID: hjngolefdpdnooamgdldlkjgmdcmcjnc): Contains a Microsoft Azure API key for speech recognition, potentially allowing attackers to inflate service costs or exhaust usage limits.

– Awesome Screen Recorder & Screenshot (ID: nlipoenfbbikpbjkfpfillcgkoblgpmj) and Scrolling Screenshot Tool & Screen Capture (ID: mfpiaehgjbbfednooihadalhehabhcjo): Expose Amazon Web Services (AWS) access keys used for uploading screenshots, which could be exploited to access or manipulate stored data.

– Microsoft Editor – Spelling & Grammar Checker (ID: gpaiobkfhnonedkhhfjpmhdalgeoebfa): Reveals a telemetry key named StatsApiKey, potentially allowing unauthorized access to user data.

– Antidote Connector (ID: lmbopdiikkamfphhgcckcjhojnokgfeo): Incorporates a third-party library containing hard-coded credentials, including API keys.

– Watch2Gether (ID: cimpffimgeipdhnhjohpbehjkcdpjolg): Exposes a Tenor GIF search API key, which could be misused for unauthorized API requests.
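
As an added example (not code from the report or from any of the extensions named above), the following Python script performs the kind of static check that surfaces both issue classes in an unpacked extension: plaintext http:// endpoints in the manifest and scripts, and credential-shaped strings in the JavaScript. The sample extension contents and the credential patterns are constructed assumptions, not taken from any real extension.

```python
import json
import re

# Heuristic patterns for the two issue classes above; the credential patterns are
# format-based assumptions (AWS key ID prefix, GA4 api_secret parameter, generic key strings).
PLAIN_HTTP = re.compile(r'["\']http://[^"\'\s]+')
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "ga4_api_secret": re.compile(r"api_secret=[A-Za-z0-9_-]{10,}"),
    "generic_key_assignment": re.compile(r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['\"][\w-]{16,}['\"]"),
}

def scan_text(relpath, text):
    """Return (path, line, finding) tuples for one JavaScript source file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PLAIN_HTTP.search(line):
            findings.append((relpath, lineno, "plaintext_http"))
        for name, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(line):
                findings.append((relpath, lineno, name))
    return findings

def scan_manifest(manifest):
    """Flag host permissions that explicitly name plaintext http:// origins."""
    perms = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    return [("manifest.json", 0, "plaintext_http_permission")
            for p in perms if isinstance(p, str) and p.startswith("http://")]

def audit_extension(files):
    """files maps relative path -> file text of an unpacked extension directory."""
    findings = []
    if "manifest.json" in files:
        findings += scan_manifest(json.loads(files["manifest.json"]))
    for relpath in sorted(files):
        if relpath.endswith(".js"):
            findings += scan_text(relpath, files[relpath])
    return findings

# Constructed sample extension (hypothetical; not any real extension's code).
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({"manifest_version": 3, "host_permissions": ["http://rank.example/*"]}),
    "background.js": "\n".join([
        'fetch("http://stats.example/ping?v=" + chrome.runtime.getManifest().version);',
        'const GA4 = "https://www.google-analytics.com/mp/collect?api_secret=AbCdEfGhIjKlMnOpQrStUv";',
        'const uploadKey = "AKIAEXAMPLEKEY123456";',
        'const tenor = { apiKey: "tenor0123456789abcdef" };',
    ]),
}
```

Running `audit_extension(SAMPLE_EXTENSION)` yields one manifest finding and four script findings (one per line of background.js); a real audit would point the same scanner at the unpacked extension directory and review each hit by hand.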

Implications and Recommendations

The presence of these vulnerabilities in popular Chrome extensions poses significant risks to user privacy and security. Unencrypted data transmission can lead to data interception and manipulation, while hard-coded credentials can be exploited for unauthorized access and actions.

Users are advised to:

– Review Installed Extensions: Regularly check the permissions and data handling practices of installed extensions.

– Update Extensions: Ensure all extensions are updated to their latest versions, as developers may have addressed these vulnerabilities in recent updates.

– Limit Extension Use: Only install extensions from reputable sources and limit the number of extensions to reduce potential attack vectors.

– Monitor Network Traffic: Be vigilant about the data transmitted by extensions and report any suspicious activity to the relevant authorities or developers.

Developers are encouraged to:

– Implement HTTPS: Ensure all data transmissions are encrypted using HTTPS to protect user data from interception.

– Avoid Hard-Coding Credentials: Use secure methods to handle API keys and other sensitive information, such as environment variables or secure storage solutions.

– Conduct Security Audits: Regularly perform security assessments of their extensions to identify and mitigate potential vulnerabilities.

By addressing these issues, both users and developers can contribute to a safer browsing experience and protect sensitive information from potential threats.